The ENCRYPT Act Protects Encryption from U.S. State Prying

The ENCRYPT Act Protects Encryption from U.S. State Prying

It’s not just the Department of Justice and the FBI that want to undermine your right to private communications and secure devices—some state lawmakers want to weaken encryption, too. In recent years, a couple of state legislatures introduced bills to restrict or outright ban encryption on smartphones and other devices. Fortunately, several Congress members recently introduced their own bill to stop this dangerous trend before it goes any further.

The bill is called the ENCRYPT Act. EFF gladly supports it and thanks Representatives Ted Lieu (D-CA), Mike Bishop (R-MI), Suzan DelBene (D-WA), and Jim Jordan (R-OH) for sponsoring and co-sponsoring the bill.

Encryption—the technology used to secure data on phones and computers and keep digital messages safe from eavesdroppers—is under threat around the world. In the U.S., some of those threats have come from the Department of Justice and FBI, which want technology companies to purposefully and irresponsibly weaken encryption so that law enforcement can more easily get their hands on the contents of encrypted data and messages.

But the threats have come from individual U.S. states, too.

Two years ago, lawmakers in California and New York introduced statewide legislation that would’ve significantly limited their residents’ access to encrypted devices and services. In California, for example, Assembly Bill 1681 would have originally required that any smartphone sold in the state be “capable of being decrypted and unlocked by its manufacturer or its operating system provider.” To help compel this, manufacturers could have been subject to fines of $2,500 for every non-compliant device sold in the state.

This piecemeal approach to encryption is not just wrong-headed, it simply won’t work. If state legislatures individually meddle with encryption policy, we could see a landscape where Illinois residents can buy the latest iPhone and download messaging apps like Signal and WhatsApp, but Californians can’t. But the California and New York state bills, intended to help law enforcement catch criminals, ignored the reality that people could still cross into states where the technology is unrestricted to purchase encrypted devices. What’s more, it would be trivially easy for anyone to download encrypted messaging apps online, regardless of state laws.

The ENCRYPT Act would make sure this scenario doesn’t come to pass. In fact, the bill was originally introduced in 2016 as a bulwark against the California and New York state bills—both of which failed on their own.

The ENCRYPT Act would prevent U.S. states and local governments from compelling companies to weaken their encrypted products or store decryption keys for use on demand by law enforcement. It would also prevent states from prohibiting the sale and offering of certain devices and services based solely on their encryption capabilities. That means everyone across the United States, no matter what state they live in, could have equal access to strong encryption.

Of course, there are threats to encryption at the federal level as well, which is why EFF also supports the Secure Data Act. The Secure Data Act, which also has bipartisan sponsorship, would act as a perfect complement to the ENCRYPT Act by prohibiting courts and federal agencies from mandating weakened encryption or otherwise intentionally introducing security vulnerabilities. Together, the two bills would go a long way toward ensuring that strong encryption remains free of government interference in the United States.

Related Updates

Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption. Because...

EFF, ACLU, and Stanford cybersecurity scholar Riana Pfefferkorn filed a petition in November 2018 asking a California federal court to make public a ruling that apparently denied a request by the Justice Department to force Facebook to break the encryption of its Messenger application in order to facilitate...

EFF is back this year at Vegas Security Week, sometimes affectionately known as Hacker Summer Camp. Stop by our booths at BSides, Black Hat, and DEF CON to find out about the latest developments in protecting digital freedom, sign up for our action alerts and mailing list, and...

Last week, news broke of a large financial settlement for the massive 2017 Equifax data breach affecting 147 million Americans. While the direct compensation to those harmed and the fines paid are important, it’s equally important to evaluate how much this result is likely to create strong incentives to...

Certbot has a brand new website! Today we’ve launched a major update that will help Certbot’s users get started even more quickly and easily. Certbot is a free, open source software tool for enabling HTTPS on manually-administered websites, by automatically deploying Let’s Encrypt certificates. Since we introduced it in...

San Francisco—The Electronic Frontier Foundation, ACLU and Stanford cybersecurity scholar Riana Pfefferkorn asked a federal appeals court today to make public a ruling that reportedly forbade the Justice Department from forcing Facebook to break the encryption of a communications service for users.Media widely reported last fall that a...

This week the federal Government Accountability Office (GAO) issued an update to its 2016 report on the FBI’s use of face recognition. The takeaway, which they also shared during a Congressional House Oversight Committee hearing: the FBI now has access to 641 million photos—including driver’s license and...

Fresno – On Wednesday, May 22, at 9 am, the Electronic Frontier Foundation (EFF) will argue that criminal defendants have a right to review and evaluate the source code of forensic DNA analysis software programs used to create evidence against them. The case, California v. Johnson, is on appeal...